Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

I am also noticing this with Node v8.9.4 Taken from <a href="https:/

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Thanks, <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-

[Node v8.9.4] Warning: Use Cipheriv for counter mode of aes-256-ctr about connect-memcached HOT 9 CLOSED

balor commented on August 22, 2024 1

[Node v8.9.4] Warning: Use Cipheriv for counter mode of aes-256-ctr

from connect-memcached.

Comments (9)

balor commented on August 22, 2024 2

All right, decided I'll go with the first option, use createCipheriv exclusively and bump major version to 1.0.0 as this will be breaking changes.

Concretely, if You're using encryption, after upgrade to 1.0.0 old session data will become unreadable. Positive side of this approach is cleaner code and security consistency on designated session data.

from connect-memcached.

balor commented on August 22, 2024 2

I'll try to finish everything till the end of this week.

from connect-memcached.

balor commented on August 22, 2024 1

@chrisiona please do so, it'll definitely motivate me for a new minor release :)

from connect-memcached.

chrisiona commented on August 22, 2024

I am also noticing this with Node v8.9.4

Taken from nodejs/node 16746

It's in the warning: use crypto.createCipheriv(), not crypto.createCipher().

I take it we'll need to patch here:

connect-memcached/lib/connect-memcached.js

Line 202 in 33f19c2

var cipher = this.crypto.createCipher(algo, key), ct = [];

@balor LMK if you'd like a PR

from connect-memcached.

chrisiona commented on August 22, 2024

@balor I'll see what I can do.

from connect-memcached.

mjamado commented on August 22, 2024

Any news about this?

from connect-memcached.

balor commented on August 22, 2024

Ok, found a little time to work on it.

You get the warning because the default algorithm for crypto is aes-256-ctr which is in a counter mode (-ctr) and use of these kind of algorithms together with createCipher function renders security inefficiency, as the same initialization vector is used every time. To be honest this case shouldn't be possible but somehow node crypto module allowed it and now they're trying to fix broken (cryptographically) code by prompting the warning.

It seems that the reasonable fix is to replace createCipher with createCipheriv and generate random iv each time, but that will render current session data incompatible.

Second option is to do a trick similar to this one, which tries to differentiate corrupted sessions and use old function on them exclusively. I'm not a big fan of such solutions to be honest.

Finally, if you really want to fix the security problem, you want not only to use new function for but completely replace the session store with properly encoded data.

What do you think? Feedback needed :)

from connect-memcached.

mjamado commented on August 22, 2024

Thanks, @balor! Do you have an estimate as to when it'll land in NPM?

from connect-memcached.

balor commented on August 22, 2024

As promised, v1.0.0 with changes addressing this issue has been released. Be sure to read the changelog.

from connect-memcached.

[Node v8.9.4] Warning: Use Cipheriv for counter mode of aes-256-ctr about connect-memcached HOT 9 CLOSED

Comments (9)

Related Issues (18)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent